Home > Software engineering >  how to sanitize sql.js inputs?
how to sanitize sql.js inputs?

Time:10-08

I am using sql.js to manage the SQLite file I created for an electron app. My issue is that I want to make sure all the inputs are sanitized. As of now, I am using statements like so:

const SQL = await sqljs();
const db = new SQL.Database();

// These values are just examples and will be user inputs through electron.
let id = 1;
let name = 'row name';

db.run(`INSERT INTO tableName VALUES (${}, 'hello');`);

I'm pretty sure that this way is unsafe and can cause SQL injections. What can I do to prevent such a problem? Thank you kindly.

CodePudding user response:

You can use bound parameters. These are values that are passed to the database engine and not parsed as part of a SQL statement:

let id = 1;
let name = 'row name';

/* Either pass in a dictionary to use named bound parameters */
db.run("INSERT INTO tableName VALUES(:id, :name)", { ':id': id, ':name': name });

/* Or an array to use positional bound parameters */
db.run("INSERT INTO tableName VALUES(?, ?)", [id, name]);

More information is available in the SQLite documentation, as well as sqljs documentation.

  • Related